=External Authentication System=
This is yet another TLA (Three Letter Acronym) for a component of the Luminis portal. You can point Luminis at another LDAP server to authenticate against: it forwards every credential check to that server instead of verifying against its own. Better yet, you can set up MULTIPLE EAS configurations, to allow for redundancy and fall-through. This keeps Luminis-specific users (cpadmin) inside Luminis' LDAP and out of the campus LDAP.
Also, Luminis will "capture" a user's credentials and save them inside of the PDS (Personal Data Store), to use with SSO to external applications. See CPIP for more information...
== Setup ==
Collect the following information about the external LDAP server:
* Address LDAP resides at
* Whether it is secure
* Port number (if not 389)
* Search DN
* Binding format
(For AD, the binding format is <username>@<LDAP location>, ex: bsimpson@ccsunet.clayton.edu.)
== Changes on Luminis platform ==
* Use configman to dump an existing EAS configuration to a file:
<pre>
configman -g security.ias.eas.* > new.eas
</pre>
This dumps all of the configuration parameters into a file that we can modify and then reimport under a different context.
'''I will be using the context "Luminis"'''
* Change all of the "security.ias.eas." entries to reflect the new context. I did this by searching and replacing "security.ias.eas." with "security.ias.eas.Luminis." (keep the trailing dot, otherwise you end up with keys like security.ias.eas.Luminishost.name). Save your changes.
* Modify the following values (the reader account's username goes in userid and its password in password):
<pre>
security.ias.eas.Luminis.host.name = <LDAP server address>
security.ias.eas.Luminis.searching.dn = <LDAP Search DN>
security.ias.eas.Luminis.searching.user.userid = <Reader username>
security.ias.eas.Luminis.searching.user.password = <Reader password>
security.ias.eas.Luminis.host.port = <389 or something else>
security.ias.eas.Luminis.searching.type = <uid, sAMAccountName, etc>
</pre>
Luminis has some weird conventions. Firstly, you can either search for a user or map to a user, but not both. Because of this, you need to enable either searching or mapping and disable the other. I recommend searching, as it finds the correct branch for you instead of you having to find it! If you have difficulties discovering the Searching DN, look at the Resources section at the bottom of this entry.
* Save your changes, and close the file.
* Import your updated configuration values under the new context by running:
<pre>
configman -i new.eas
</pre>
* Make sure that "security.ias.eas.is_enabled=true"
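The search-and-replace step above is easy to get subtly wrong (a missed line, a dropped trailing dot, the reader's userid and password pasted the wrong way round). The following script is an added example, not part of this page or of Luminis: it takes a constructed configman-style dump using the key names from this page, moves every key under a new context, and reports the mistakes this procedure is prone to. The sample values (ldap.example.edu, cn=reader,...) are placeholders.

```python
"""Rewrite a configman dump into a new EAS context and sanity-check it."""
import re

# Constructed sample of what "configman -g security.ias.eas.* > new.eas"
# might produce.  Only the key names come from this page; the values are
# placeholders and the reader account is made up.
SAMPLE_DUMP = """\
security.ias.eas.host.name = ldap.example.edu
security.ias.eas.host.port = 389
security.ias.eas.searching.dn = ou=People,dc=example,dc=edu
security.ias.eas.searching.user.userid = cn=reader,dc=example,dc=edu
security.ias.eas.searching.user.password = CHANGEME
security.ias.eas.searching.type = uid
"""

OLD_PREFIX = "security.ias.eas."

# The keys this page tells you to fill in for the new context.
REQUIRED_KEYS = (
    "host.name", "host.port", "searching.dn",
    "searching.user.userid", "searching.user.password", "searching.type",
)


def parse_dump(text):
    """Return the dump as an ordered list of (key, value) pairs."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("not a key = value line: %r" % line)
        pairs.append((key.strip(), value.strip()))
    return pairs


def rewrite_context(pairs, context):
    """Move every security.ias.eas.* key under security.ias.eas.<context>.*

    The new prefix keeps its trailing dot: replacing "security.ias.eas."
    with "security.ias.eas.Luminis" (no dot) yields keys such as
    security.ias.eas.Luminishost.name instead of
    security.ias.eas.Luminis.host.name.
    """
    new_prefix = OLD_PREFIX + context + "."
    return [(new_prefix + k[len(OLD_PREFIX):] if k.startswith(OLD_PREFIX) else k, v)
            for k, v in pairs]


def looks_like_dn_or_login(value):
    """Heuristic: DN components or an AD user@domain login, not a bare secret."""
    return bool(re.match(r"(cn|uid|ou|dc|o)=", value, re.I)) or "@" in value


def check_context(pairs, context):
    """Return human-readable problems with the rewritten configuration."""
    prefix = OLD_PREFIX + context + "."
    conf = {k[len(prefix):]: v for k, v in pairs if k.startswith(prefix)}
    problems = []
    for key in REQUIRED_KEYS:
        if not conf.get(key):
            problems.append("missing or empty: " + prefix + key)
    # Any key still under the bare prefix means the search and replace
    # missed a line.
    for k, _ in pairs:
        if k.startswith(OLD_PREFIX) and not k.startswith(prefix):
            problems.append("still in old context: " + k)
    # userid holds the reader's bind DN or login and password holds its
    # secret; a DN in the password slot almost always means the two were
    # pasted the wrong way round.
    userid = conf.get("searching.user.userid", "")
    password = conf.get("searching.user.password", "")
    if looks_like_dn_or_login(password) and not looks_like_dn_or_login(userid):
        problems.append("searching.user.userid and searching.user.password look swapped")
    if not conf.get("host.port", "").isdigit():
        problems.append("host.port is not numeric: %r" % conf.get("host.port"))
    return problems


def format_dump(pairs):
    """Serialise pairs back into the key = value form used on this page."""
    return "".join("%s = %s\n" % (k, v) for k, v in pairs)


if __name__ == "__main__":
    rewritten = rewrite_context(parse_dump(SAMPLE_DUMP), "Luminis")
    print(format_dump(rewritten), end="")
    for problem in check_context(rewritten, "Luminis"):
        print("WARNING:", problem)
```

Run it against your real new.eas by replacing SAMPLE_DUMP with the file contents; an empty warning list means every key on this page is present under the new context and nothing obviously points at the wrong slot.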
* Edit this file: $JAVA_HOME/jre/lib/security/java.security
<pre>
vim $JAVA_HOME/jre/lib/security/java.security
</pre>
Change the line that begins with login.config.url.1= to point at the new JAAS configuration file:
<pre>
login.config.url.1=file:${java.home}/lib/security/jaas.conf
</pre>
Save and close.
* Create the jaas.conf file:
<pre>
vim $JAVA_HOME/jre/lib/security/jaas.conf
</pre>
* Place the EAS systems you wish to use in the jaas.conf file:
<pre>
jaasEas {
    com.pipeline.security.authen.JaasEasLegacyLoginModule sufficient prefix=security.ias.eas;
    com.pipeline.security.authen.JaasLdapLoginModule sufficient prefix=security.ias.eas.Luminis;
};
</pre>
Note the control flag "sufficient". It is required so that a failure to authenticate against the first server does not throw an exception but falls through to the next server listed. Also, the prefixes must match your contexts. Either the EasLegacy or the LdapLogin module will work against LDAP. If you wish to disable an entry, place "//" in front of the line; it's just Java after all...
* Save and close jaas.conf
* Restart Luminis:
<pre>
stopcp
startcp
</pre>
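Why "sufficient" rather than "required" is what gives you fall-through is easiest to see by replaying JAAS's control-flag rules over the chain. The script below is an added example, not Luminis code: it parses the jaasEas stanza from this page (embedded as constructed input, with a made-up third entry commented out with "//" as the text suggests) and evaluates the standard JAAS flags (required, requisite, sufficient, optional) against a given set of per-server outcomes.

```python
"""Parse a jaas.conf stanza and replay JAAS control-flag semantics."""
import re

# The jaasEas stanza from this page, plus a constructed third entry that is
# commented out the way the text suggests ("//" in front of the line).
JAAS_CONF = """\
jaasEas {
    com.pipeline.security.authen.JaasEasLegacyLoginModule sufficient prefix=security.ias.eas;
    com.pipeline.security.authen.JaasLdapLoginModule sufficient prefix=security.ias.eas.Luminis;
    // com.pipeline.security.authen.JaasLdapLoginModule sufficient prefix=security.ias.eas.Disabled;
};
"""

FLAGS = ("required", "requisite", "sufficient", "optional")


def strip_comments(text):
    """Drop /* */ and // comments.  (A "//" inside a quoted option value
    would be cut too; the entries on this page have none.)"""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return "\n".join(line.split("//", 1)[0] for line in text.splitlines())


def parse_jaas(text):
    """Return {application_name: [(module_class, flag, {option: value}), ...]}."""
    apps = {}
    for name, body in re.findall(r"(\w+)\s*\{(.*?)\};", strip_comments(text), re.S):
        entries = []
        for stmt in body.split(";"):
            tokens = stmt.split()
            if not tokens:
                continue
            if len(tokens) < 2 or tokens[1].lower() not in FLAGS:
                raise ValueError("missing or bad control flag in: " + stmt.strip())
            options = dict(opt.split("=", 1) for opt in tokens[2:] if "=" in opt)
            entries.append((tokens[0], tokens[1].lower(), options))
        apps[name] = entries
    return apps


def login_succeeds(entries, outcomes):
    """Decide the overall login result the way JAAS does.

    outcomes maps each entry's prefix option (its EAS context) to whether
    that server accepted the credentials.  Control-flag rules:
      required   must succeed; evaluation still continues down the list
      requisite  must succeed; on failure stop at once and fail
      sufficient on success stop at once and succeed, unless a required
                 or requisite module already failed; on failure continue
      optional   result is not decisive; continue
    Overall success needs every required/requisite module to succeed, or,
    when there are none, at least one sufficient/optional module to.
    """
    saw_required = required_failed = any_success = False
    for cls, flag, options in entries:
        ok = bool(outcomes.get(options.get("prefix", cls), False))
        if flag in ("required", "requisite"):
            saw_required = True
            if not ok:
                required_failed = True
                if flag == "requisite":
                    return False
        elif flag == "sufficient":
            if ok and not required_failed:
                return True
        any_success = any_success or ok
    return (not required_failed) if saw_required else any_success


if __name__ == "__main__":
    chain = parse_jaas(JAAS_CONF)["jaasEas"]
    for cls, flag, opts in chain:
        print(flag, opts.get("prefix"))
    # Legacy server rejects, campus LDAP accepts: the login still succeeds.
    print("fall-through:", login_succeeds(
        chain, {"security.ias.eas": False, "security.ias.eas.Luminis": True}))
```

With both entries marked sufficient, a rejection from the first server just moves on to the second; change either flag to required and a single rejection sinks the whole login, which is the exception the text warns about.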
== Resources ==
The Searching DN path may be difficult to discover. If you are unsure about several parameters at once, this PHP script tries every combination of candidate LDAP values until one binds (you will need PHP's LDAP extension installed):
<pre>
<?php
// Candidate values for each unknown parameter; add every form you want tried.
$ldap_server = array('ldap://server', 'server');
$uname = array(
    'cpadmin',
    'cpadmin@lumtest.clayton.edu',
    'uid=cpadmin,ou=People,o=lumtest.clayton.edu,o=cp'
);
$password = '#PASSWORD#'; // replace with the account's real password

foreach ($ldap_server as $current_ldap_server) {
    $connect = ldap_connect($current_ldap_server);
    // Active Directory and most current servers refuse LDAPv2 binds.
    ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
    foreach ($uname as $current_uname) {
        // "@" silences the warning a failed bind emits; the result is reported below.
        $bind = @ldap_bind($connect, $current_uname, $password);
        if ($bind) {
            // First working combination: print it prefixed with "1" and stop.
            die("1 " . $current_ldap_server . " " . $current_uname . "\n");
        } else {
            echo $current_ldap_server . " " . $current_uname . "\n";
        }
    }
}
</pre>
To set it up, list every possible value for each unknown parameter in the arrays at the top of the script. It loops through all combinations until a bind succeeds, then prints a line prefixed with "1" followed by the working parameters and exits, so the successful combination is the last line of the output. If no line prefixed with "1" appears, no successful bind was found.
Additionally, most LDAP servers have an "access" log that can be tailed while a successful binding attempt is made from any system. You can view the path to the user in these logs to help in determining the correct path to use.
Also, to just look inside of LDAP, you can use the Java based [http://www-unix.mcs.anl.gov/~gawor/ldap/index.html LDAP Browser]
Comments
Having problem with this configuration
set my security.ias.eas to secuirty.ias.eas.CAMPUS
when I try to login I get
Can't service request to /cp/home/login
Click here to go back to previous page.
Configuration Error:
Line 21: expected [option key]
cp.log shows nothing except the same error. Any ideas on where to start troubleshooting?
Thanks,
James
Same problem
Hi James,
I'm having the same problem with our install. Have you figured anything out?
Thanks,
James
Does this actually work, lum 4.0.2.0?
Started off with an install here of 4.0.2.0... We have EAS set up, but we'd like to fall back on Luminis internal authentication for the built-in accounts. Is this possible, or otherwise inadvisable?
May be inadvisable, but it works.
This is how we did it.